Operations Runbook

Operator-facing notes for running the broker in production: admin access, health, databases, password write-back, and where the quality baselines live.

Admin access & MFA

  • Admin MFA is mandatory. Every administrator (including the configured bootstrap and break-glass accounts) must enroll a second factor before reaching /admin/**. On first sign-in an admin is routed to enrollment automatically; this is enforced both at login and on every admin request.
  • Scoped admin roles are enforced. A role like Help Desk Administrator or Read-Only Administrator grants only its permissions — it is not equivalent to Super Administrator. Grant least privilege.
  • Break-glass. Keep the break-glass account credentials sealed and audited; it is a real DB-backed admin and is also subject to MFA enrollment.

Health & readiness

Actuator health groups are exposed for orchestration:

Endpoint                    Use
/actuator/health/live       liveness probe
/actuator/health/ready      readiness probe (includes DB)
/actuator/health/detailed   full component health (admin-only)

Databases

  • PostgreSQL (default): schema is managed by Flyway migrations (db/migration). This is the recommended production database.
  • MySQL: the Flyway migrations are Postgres-specific, so on the mysql profile the broker disables Flyway and builds the schema from the JPA entities (ddl-auto=update, with identifier quoting for reserved words). Functional, but Postgres remains the reference. See Deployment → Database Configuration.
  • Set the database with DB_TYPE=postgresql|mysql.

Password write-back (hybrid AD/Entra)

If configured, a password change in the portal (or an admin reset / forgot-password reset) is written back to on-prem Active Directory over LDAPS, which Azure AD Connect then syncs up to Entra.

  • Prerequisites: a DC reachable on LDAPS 636, a service account with delegated Reset Password rights, and CA trust for the DC certificate.
  • The write-back is asynchronous and best-effort with retry — the user's local change always succeeds even if the directory is briefly unavailable; outcomes are audited.
  • New passwords must satisfy the directory's complexity/history policy (rejections are surfaced).
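The write-back behaviour above, as an added illustration that is not the broker's own code: the local change commits first, transient LDAPS failures are retried, a directory policy rejection is surfaced without retry, and every outcome is audited without ever logging the password. The directory client, local store and audit list are constructed stubs.

```python
import time
from dataclasses import dataclass, field

# Constructed stand-in for the LDAPS reset call; the broker's real client is not on the page.
class DirectoryUnavailable(Exception):
    """Transient failure (DC unreachable over LDAPS 636): worth retrying."""

class PolicyRejected(Exception):
    """Permanent failure: AD complexity/history policy refused the password."""

@dataclass
class FakeDirectory:
    outages_before_success: int = 0   # how many calls fail transiently before one succeeds
    reject: bool = False              # simulate a policy rejection
    calls: int = 0
    def reset_password(self, upn: str, new_password: str) -> None:
        self.calls += 1
        if self.reject:
            raise PolicyRejected("does not meet directory complexity/history policy")
        if self.calls <= self.outages_before_success:
            raise DirectoryUnavailable("LDAPS connect timeout")

@dataclass
class PasswordWriteBack:
    local_store: dict                 # stub local store (upn -> password); a real store hashes
    audit: list = field(default_factory=list)

    def change_password(self, directory, upn, new_password, max_attempts=3, backoff=0.0) -> str:
        """Commit locally first, then write back best-effort with retry; audit the outcome."""
        self.local_store[upn] = new_password   # the local change always succeeds
        self.audit.append(("local_change_ok", upn))
        for attempt in range(1, max_attempts + 1):
            try:
                directory.reset_password(upn, new_password)
                self.audit.append(("writeback_ok", upn, attempt))
                return "ok"
            except PolicyRejected as err:
                # Permanent: surface the reason to the user, never retry.
                self.audit.append(("writeback_rejected", upn, str(err)))
                return "rejected"
            except DirectoryUnavailable:
                self.audit.append(("writeback_retry", upn, attempt))
                time.sleep(backoff * attempt)   # linear backoff before the next attempt
        # Retries exhausted: local login still works; operators see this in the audit trail.
        self.audit.append(("writeback_failed", upn, max_attempts))
        return "failed"

def audit_leaks_secret(audit, secret: str) -> bool:
    """Sanity check: the audit trail must never contain the new password."""
    return any(secret in str(entry) for entry in audit)
```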

Quality & compliance baselines

These living artifacts are regenerated from test runs (see deliverables/PBS-SOW-001/):

  • Validation report: NX-05_Validation_Report (capability/persona coverage, findings ledger).
  • Accessibility baseline: NX-06_Accessibility_Baseline (WCAG 2.1 AA / VPAT input).
  • Security baseline: NX-07_Security_Baseline (dependency/CVE scan + recommended CI scanners).

Engineering dashboards: the Playwright HTML report + screenshot gallery under e2e/.